In Wake of Latest Crypto Revelations, ‘Everything is Suspect’

So now that RSA Security has urged developers to back away from the table and stop using the maligned Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) algorithm, the question begging to be asked is why RSA used it in the first place.

Going back to 2007 and a seminal rump-session presentation at the CRYPTO conference by Dan Shumow and Niels Ferguson, there have been suspicions about Dual EC DRBG, primarily because it was backed by the National Security Agency, which initially proposed the algorithm as a standard. Cryptographer Bruce Schneier wrote in a 2007 essay that the algorithm contains a weakness that “can only be described as a backdoor.”

Given the current climate and revelations about NSA surveillance of Americans, and implications the spy agency manipulated standards efforts, in particular those overseen by NIST, Dual EC DRBG and other crypto standards are going to be scrutinized top to bottom—not to mention the deterioration of trust in any product built on that standard.

“I wrote about it in 2007 and said it was suspect. I didn’t like it back then because it was from the government,” Schneier told Threatpost today. “It was designed so that it could contain a backdoor. Back then I was suspicious, now I’m terrified.”

In his essay, Schneier wrote that not only was the algorithm derided as slow compared to better available algorithms, but it also had a bias, meaning that the random numbers it generates aren’t so random. Dual EC DRBG was one of four approved random bit generators in NIST Special Publication 800-90, but it sticks out like a sore thumb.

“What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output,” Schneier wrote. “To put that in real terms, you only need to monitor one TLS Internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.

“The researchers don’t know what the secret numbers are,” Schneier said. “But because of the way the algorithm works, the person who produced the constants might know; he had the mathematical opportunity to produce the constants and the secret numbers in tandem.”
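The “skeleton key” Schneier describes is a discrete-log relationship between the two published points: if P = d·Q for a d the designer kept, then anyone holding d can turn one output block s·Q back into s·P, which is the generator’s next internal state. The following is an added example, not code from the article, RSA or NIST. It assumes the curve is NIST P-256 (the standard also allows P-384 and P-521), it assumes the role of the party who produced the constants by generating its own Q = e·P and keeping d = e⁻¹ mod n (nobody outside the NSA knows whether NIST’s Q was made this way), and it truncates 4 bits per block instead of the standard’s 16 so that the brute force over the dropped bits runs in under a second in pure Python. With 16 bits the same loop is 2¹⁶ candidates, which is why roughly 30 bytes plus a little of the next block, about the 32 bytes Schneier cites, is all an observer needs.

```python
"""Toy reproduction of the Dual_EC_DRBG skeleton-key weakness (added example,
not code from the article, RSA or NIST).

Labelled assumptions:
  * curve: NIST P-256 (public constants below); the standard also allows P-384/P-521,
  * Q is generated HERE as Q = e*P so that we know d = e^-1 mod N with P = d*Q;
    whether NIST's published Q was produced this way is exactly what is unknown,
  * TRUNC_BITS = 4 for speed; SP 800-90 Dual_EC_DRBG drops the top 16 bits.
"""
import secrets

# --- NIST P-256 domain parameters (public) ---------------------------------
P_MOD = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P_MOD - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

TRUNC_BITS = 4                 # ASSUMPTION (toy); the real DRBG uses 16
OUT_BITS = 256 - TRUNC_BITS
OUT_MASK = (1 << OUT_BITS) - 1


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + Ax + B; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P_MOD - 2, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a curve point with x-coordinate x, or None if there is none.
    Either square root works: d*(-R) = -(d*R) has the same x-coordinate as d*R."""
    if x >= P_MOD:
        return None
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)          # P_MOD = 3 (mod 4)
    return (x, y) if y * y % P_MOD == rhs else None


def dual_ec_generate(state, nblocks, Q):
    """Simplified Dual_EC_DRBG generate: s <- x(s*P); r <- x(s*Q); emit low OUT_BITS of r.
    (The standard also concatenates blocks to the requested length and runs one extra
    s <- x(s*P) at the end of each request; neither changes the attack.)"""
    out = []
    s = state
    for _ in range(nblocks):
        s = ec_mul(s, P)[0]                           # state update
        r = ec_mul(s, Q)[0]                           # output point s*Q
        out.append(r & OUT_MASK)                      # truncated x-coordinate
    return out, s


def backdoor_predict(observed, d, Q, nblocks):
    """Given two consecutive output blocks and the secret d (P = d*Q), recover the
    generator's internal state and return its next nblocks outputs, or None."""
    r1, r2 = observed[0], observed[1]
    for hi in range(1 << TRUNC_BITS):                 # guess the dropped top bits
        R = lift_x((hi << OUT_BITS) | r1)             # candidate for s1*Q
        if R is None:
            continue
        s2 = ec_mul(d, R)[0]                          # d*(s1*Q) = s1*P -> next state
        if ec_mul(s2, Q)[0] & OUT_MASK != r2:         # must reproduce block 2
            continue
        rest, _ = dual_ec_generate(s2, nblocks, Q)    # state recovered: run it forward
        return rest
    return None


def make_backdoored_q():
    """The 'designer' picks e, publishes Q = e*P and keeps d = e^-1 mod N (N is prime)."""
    e = secrets.randbelow(N - 1) + 1
    return ec_mul(e, P), pow(e, N - 2, N)


def demo(nblocks=3):
    """Victim emits 2 + nblocks blocks; attacker sees the first two, predicts the rest."""
    Q, d = make_backdoored_q()
    seed = secrets.randbelow(N - 1) + 1               # victim's secret internal state
    blocks, _ = dual_ec_generate(seed, 2 + nblocks, Q)
    return blocks[2:], backdoor_predict(blocks[:2], d, Q, nblocks)


if __name__ == "__main__":
    actual, predicted = demo()
    print("victim's later blocks :", [hex(b)[:14] for b in actual])
    print("attacker's prediction :", [hex(b)[:14] for b in predicted])
    print("match:", actual == predicted)
```

Nothing here breaks the curve or the generator’s arithmetic; the only thing the attacker has over everyone else is d. Without knowledge of the discrete log of Q with respect to P, the same loop is as hard as solving ECDLP on P-256, which is the security argument the standard relied on, and why generating Q verifiably at random, or not using a DRBG whose outputs are curve points at all, is the way out.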

RSA advised its developer customers via email yesterday to no longer use the algorithm, following a similar NIST recommendation last week. The algorithm is the default pseudorandom number generator in a number of RSA products, including the RSA BSAFE libraries and RSA’s key management product, RSA Data Protection Manager. BSAFE is embedded in many applications, providing cryptography, digital certificates and TLS security. RSA said the current product documentation can help developers change the PRNG in their respective implementations. RSA also said it would review its products to determine where the algorithm is in use and make the appropriate changes.

RSA CTO Sam Curry told Wired magazine, which first reported the story yesterday, the algorithm has been part of RSA libraries since 2004, two years before it was approved by NIST.

“Every product that we at RSA make, if it has a crypto function, we may or may not ourselves have decided to use this algorithm,” Curry told Wired. “So we’re also going to go through and make sure that we ourselves follow our own advice and aren’t using this algorithm.”

Matthew Green, a cryptographer and research professor at Johns Hopkins University, said RSA had no good reason to use the algorithm, and its decision to do so puts the security of any product using the BSAFE library into question.

“There’s no good reason whatsoever, just none,” Green said. “There was no good reason before the [Crypto 2007] backdoor presentation. It was a poor decision then, and afterwards I kind of think it was malpractice. People have known about this for a long time.”

RSA’s core product, its SecurID two-factor authentication tokens, was breached in 2011 and data stolen in that attack was used to attack Lockheed Martin and others in the defense industry. RSA said it spent more than $66 million cleaning up from the attack and helping customers. An untold number of RSA SecurID tokens were recalled and replaced. A source close to the matter told Threatpost that SecurID currently does not use the Dual EC DRBG random number generator, nor did it prior to the 2011 attack.

In the meantime, the immediate fallout is that we should expect more technology companies to make similar announcements about NIST-approved and NSA-influenced encryption. Experts are concerned too about the damage being inflicted upon NIST as a standards body. It’s likely these revelations will force greater scrutiny on the NIST-NSA relationship and nudge users and providers away from the standard in time.

“The U.S. has had an enormous influence on crypto around the world because we have NIST,” Green said in an interview before the RSA news broke. “You could see people break away from NIST, which would hurt everyone, and move to regional standards. That stuff is a problem.

“We trust NIST because there are a lot smart people there. If you split up into regions, it’s possible things could get less secure,” Green added. “You could end up with more vulnerabilities; standards get weaker the less effort you put into it.”

Schneier agreed that scrutiny will tighten on NIST.

“The fact is, NIST has been tarnished badly, and we really need them,” he said. “This is the biggest problem: The NSA has broken the fundamental social contract of the Internet.”

Comments

For some reason, people are not seeing what’s egregiously obvious: By attracting attention to this trivial, deliberate backdoor, the NSA has made sure that the real trapdoors stay hidden. Do people think NSA cryptographers are stupid? Why would the NSA commit such a security blunder, which amounts to Michael Jordan missing an unchallenged layup? Nonetheless, perhaps this shows that the NSA is just as skilled in psy-ops as in cryptography.

If there ever was an internet social contract, it was only agreed to by a small number of academics and early adopters. No one has ever had to sign anything. Even if there had been a contract, NSA would have signed it and ignored it.

The only way forward now for serious people is to assume that at the present time nothing they transmit over a public network is private. A shared non-belief in the usefulness of current privacy schemes may later form the basis for new efforts to create intentionally narrower, more limited forms of electronic privacy.

We may never be able to hide information about who we are communicating with over a public network. I write “systematically” because ad hoc schemes using (yes!) obscurity will still be as available as they always have been.

Finally, all this NSA foolery can be interpreted as yet another instance of the old pre-electronic truism: anything that people can encrypt, others will eventually decrypt. This time around it was not code-cracking but people-cracking that did the trick.

I agree: a “social contract” is an abstract concept which is obeyed as an act of cooperation by people acting wisely and in good faith. As such, it does not have any effect on an organization such as the NSA, whose entire purpose is to eavesdrop and deceive. To expect NSA to obey some sort of unwritten law would be similar to assuming that a boxer would be kind and polite to everyone in the boxing ring. It just isn’t in the nature of his work to do so.
